utilities/telegraf-plugins#4: Exit node specific stats



Issue Information

Issue Type: issue
Status: closed
Reported By: btasker
Assigned To: btasker

Milestone: tor-plugin v0.1
Created: 13-May-22 10:10



Description

Whilst a lot of the stats we collected are pertinent to exit nodes, we don't really collect any of the stats that are only relevant to exit nodes.

It'd be useful to go over and see which of those we can/should collect.

From the top of my head, it'd be useful to report

  • Number of ipv4 exit policies
  • Number of ipv6 exit policies

And perhaps also a breakdown of

  • policy scopes (i.e. how many accept any destination, how many are limited to specific IPs)
  • policy actions (how many accept vs reject)



Activity


assigned to @btasker

It occurred to me that I don't actually need an exit to collect the stats - a relay should provide them too.

Have spun one up to experiment on

$ docker run --rm -d \
--name tor_relay -p 9051:9051 \
-v $PWD/torrc_1:/etc/tor/torrc connectical/tor

It looks like GETINFO returns a comma separated list of policies rather than a multi-line response

GETINFO exit-policy/default
250-exit-policy/default=reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*
250 OK
GETINFO exit-policy/ipv4
250-exit-policy/ipv4=reject *:*
250 OK
GETINFO exit-policy/ipv6
250-exit-policy/ipv6=reject *:*
250 OK

This should be fairly straightforward to consume and break-down then.

If the tor instance isn't a relay, trying to fetch exit policy information returns a non 2xx status code:

GETINFO exit-policy/ipv4
552 Not running in server mode
GETINFO exit-policy/ipv6
552 Not running in server mode

The only catch is we don't want to report this as a stats fetch failure - it's a legitimate response.

This is now implemented - assuming the Tor daemon is running in server mode, we'll collect the following

  • ipv4_exit_policy_num_total: Total number of exit policies
  • ipv4_exit_policy_num_accept: Total number of accept exit policies
  • ipv4_exit_policy_num_reject: Total number of reject exit policies
  • ipv4_exit_policy_num_wildcard: Total number of policies that use a * for host
  • ipv4_exit_policy_num_specific: Total number of exit policies that refer to a specific host
  • ipv4_exit_policy_num_unique_hosts: Number of unique hosts in exit policies
  • ipv4_exit_policy_num_unique_ports: Number of unique ports in exit policies
  • ipv4_exit_policy_num_wildcard_port: Number of policies with wildcarded ports
  • ipv4_exit_policy_num_specific_port: Number of policies mentioning specific port
  • ipv6_exit_policy_num_total: Total number of exit policies
  • ipv6_exit_policy_num_accept: Total number of accept exit policies
  • ipv6_exit_policy_num_reject: Total number of reject exit policies
  • ipv6_exit_policy_num_wildcard: Total number of policies that use a * for host
  • ipv6_exit_policy_num_specific: Total number of exit policies that refer to a specific host
  • ipv6_exit_policy_num_unique_hosts: Number of unique hosts in exit policies
  • ipv6_exit_policy_num_unique_ports: Number of unique ports in exit policies
  • ipv6_exit_policy_num_wildcard_port: Number of policies with wildcarded ports
  • ipv6_exit_policy_num_specific_port: Number of policies mentioning specific port

With the resulting LP looking like

ipv4_exit_policy_num_total=1i,ipv4_exit_policy_num_accept=0i,ipv4_exit_policy_num_reject=1i,ipv4_exit_policy_num_wildcard=1i,ipv4_exit_policy_num_specific=0i,ipv4_exit_policy_num_unique_hosts=0i,ipv4_exit_policy_num_unique_ports=1i,ipv4_exit_policy_num_wildcard_port=1i,ipv4_exit_policy_num_specific_port=0i,ipv6_exit_policy_num_total=1i,ipv6_exit_policy_num_accept=0i,ipv6_exit_policy_num_reject=1i,ipv6_exit_policy_num_wildcard=1i,ipv6_exit_policy_num_specific=0i,ipv6_exit_policy_num_unique_hosts=0i,ipv6_exit_policy_num_unique_ports=1i,ipv6_exit_policy_num_wildcard_port=1i,ipv6_exit_policy_num_specific_port=0i

We might want to tweak the port counters though.

Exit policies allow a range to be specified, so an exit policy like this is legal

ExitPolicy accept *:79 # finger
ExitPolicy accept *:80-81 # HTTP, HTTP alt.
ExitPolicy accept *:88 # kerberos

Currently we'd count this as 3 ports being specified, but really it's 4.

I'd also like to collect per-action stats. Currently we return a count of total accept and total reject, but the other stats are completely dis-associated from the action.

It'd be useful to be able to show that there are n unique hosts associated with accept, and y unique ports associated with reject

Actually, we've got trouble...

It looks like GETINFO exit-policies/ipv4 sometimes returns a multi-line response:

GETINFO exit-policy/ipv4
250+exit-policy/ipv4=
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 178.128.62.131:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:563
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
.
250 OK

Will have to adjust the function to detect and handle this.
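The handling this thread arrives at, as an added Python example (not the plugin's own code): accept both the single-line and the multi-line GETINFO form, treat a 552 as "not a relay" rather than a fetch failure, and expand port ranges when counting. The function names, the returned keys and the sample replies are assumptions constructed for illustration.

```python
# Constructed sample replies, modelled on the control-port output quoted above.
SINGLE = ["250-exit-policy/ipv4=reject *:25,accept *:80-81,accept *:*", "250 OK"]
MULTI = ["250+exit-policy/ipv4=", "reject 10.0.0.0/8:*", "reject *:25",
         "accept *:80-81", "accept *:*", ".", "250 OK"]
NOT_RELAY = ["552 Not running in server mode"]

def parse_exit_policy(reply_lines, key):
    """Return the rules in a GETINFO reply, or None for a 552 (not a relay)."""
    rules, in_data = [], False
    for line in (raw.strip() for raw in reply_lines):
        if in_data:  # inside a "250+" data block, terminated by a lone "."
            if line == ".":
                in_data = False
            elif line:
                rules.append(line)
        elif line.startswith("552"):
            return None  # legitimate answer, not a stats fetch failure
        elif line.startswith("250+" + key + "="):
            in_data = True
        elif line.startswith("250-" + key + "="):
            rules += [r.strip() for r in line.split("=", 1)[1].split(",") if r.strip()]
        elif line.startswith("250 "):
            break
        else:
            raise ValueError("unexpected control reply: %r" % line)
    return rules

def summarise(rules):
    """Count rules by action, host scope and port scope; port ranges are expanded."""
    s = dict.fromkeys(("total", "accept", "reject", "wildcard", "specific",
                       "wildcard_port", "specific_port"), 0)
    hosts, ports = {"accept": set(), "reject": set()}, {"accept": set(), "reject": set()}
    for rule in rules:
        action, target = rule.split(None, 1)
        action = "accept" if action.startswith("accept") else "reject"
        host, _, port = target.rpartition(":")  # port follows the last colon (IPv6-safe)
        s["total"] += 1
        s[action] += 1
        s["wildcard" if host == "*" else "specific"] += 1
        if host != "*":
            hosts[action].add(host)
        s["wildcard_port" if port == "*" else "specific_port"] += 1
        if port != "*":
            low, _, high = port.partition("-")
            ports[action].update(range(int(low), int(high or low) + 1))
    for action in ("accept", "reject"):
        s[action + "_unique_hosts"] = len(hosts[action])
        s[action + "_unique_ports"] = len(ports[action])
    return s
```

A `None` return lets the caller skip the exit-policy fields without flagging the collection run as failed.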

verified

mentioned in commit github-mirror/telegraf-plugins@bf5ce11d11fcfdf33d57c86b0cbf6e0c03555e00

Commit: github-mirror/telegraf-plugins@bf5ce11d11fcfdf33d57c86b0cbf6e0c03555e00 
Author: B Tasker                            
                            
Date: 2022-05-14T12:56:43.000+01:00 

Message

Rework exit policy stats so that they can handle a multi-line response from the Tor daemon (utilities/telegraf-plugins#4)

+68 -42 (110 lines changed)
verified

mentioned in commit github-mirror/telegraf-plugins@8311615174f044722b5bae278908c5908d64a7a8

Commit: github-mirror/telegraf-plugins@8311615174f044722b5bae278908c5908d64a7a8 
Author: B Tasker                            
                            
Date: 2022-05-14T12:22:28.000+01:00 

Message

Collect stats on exit policies (utilities/telegraf-plugins#4)

This collects aggregate statistics on the number of policies, what they relate to and what action they specify

+143 -0 (143 lines changed)

Closing this as Done - I think we've collected everything we can

verified

mentioned in commit github-mirror/telegraf-plugins@8b6003510480be323cbcb1589a0c1d1edbf2dee7

Commit: github-mirror/telegraf-plugins@8b6003510480be323cbcb1589a0c1d1edbf2dee7 
Author: B Tasker                            
                            
Date: 2022-05-14T13:27:56.000+01:00 

Message

Provide breakdown of counters between accept and reject (utilities/telegraf-plugins#4)

+65 -3 (68 lines changed)